After “No”

by Ben SiegelAugust 28, 2019September 2, 2019

Part of a privacy professional’s job is the development of
processes and policies to manage the consent of an individual. When someone
does consent to their information being processed, there should be a means to
record that they have done so and also a way for that individual to revoke
their consent or opt-out of processing. However, what often gets overlooked is
the idea of what you do when someone declines to opt-in at all.

When someone states that they do not want their information
processed, there are a few things to do. First, you should record that
non-consent. This allows you to go back and know they opted-out, preventing
confusion later where their data may be collected from another source and
cross-referenced with an existing database. Things can get messy when you
disobey the wishes of a data subject, sending them information when told
specifically not to. Small mistakes may be an accident, but it is doubtful that
repeated offenses of this nature would be brushed off as simple accidents.

Once you know they opted-out or did not consent, that is not
the end of it, however. First, we need to check back on the definition of what
personal information is. Each jurisdiction will have a different definition,
even if only slightly. The key thing to look for here is what information IS
NOT considered PII. The reason this is the case is that you may
want to still process information that is not PII. This could be information
that is not relatable back to an individual. This means you could still process
the general location information about a person, provided it is not specific
enough to be related to them. Essentially, you may still have some useful
information that was collected that can be processed without the identifying
information.

Make sure to consult with your legal team before doing any
processing of information. As stated before-hand, making a simple mistake will
be seen as more than just an accident in the legal authorities’ opinion. Also, be
sure to consider if it is necessary or beneficial to engage in this processing.
It may not be useful to know what kind of people are not opting-in or
consenting.